Misnamed attack report, missing pcap capture

[rufoa]

I'm having a couple of issues - not sure if they are due to HoneyBadger or one of its dependencies - hoping you can help me out.

I'm running golang 1.5.1 on Debian Jessie and using the libpcap DAQ. I've run the HB tests and they all pass.

When I follow the 'manual test' instructions, I see the injected stream in nc as expected.

However when I look in my archive directory, I only have one file, called []:[]-[]:[].attackreport.json so it looks like a .String() call has potentially gone wrong somewhere. (The actual contents of the file look correct.)

There also doesn't seem to be a pcap capture - but nor do I see any error messages - currently unsure what is causing this.

Please let me know what further info would be helpful to debug - I'm quite new to golang.

Many thanks

[david415]

ah yes that's an olde bug that sometimes shows up. i hope i get fix it soon. maybe later today... i don't have time right this minute.

[rufoa]

thanks for that - no rush

[david415]

i recently discovered that gopacket flows must be constructed using endpoints otherwise their String() method receiver breaks.

    localIP, localPort, remoteIP, remotePort := t.getTCP4Tuple(t.conn)
    srcIPEndpoint := layers.NewIPEndpoint(localIP)
    dstIPEndpoint := layers.NewIPEndpoint(remoteIP)
    srcTCPEndpoint := layers.NewTCPPortEndpoint(layers.TCPPort(localPort))
    dstTCPEndpoint := layers.NewTCPPortEndpoint(layers.TCPPort(remotePort))
    netFlow, err := gopacket.FlowFromEndpoints(srcIPEndpoint, dstIPEndpoint)
    tcpFlow, err := gopacket.FlowFromEndpoints(srcTCPEndpoint, dstTCPEndpoint)
    flow := types.NewTcpIpFlowFromFlows(netFlow, tcpFlow)